Good guidance or mistaken misdirection: Assessing the quality of password advice

Modern websites often require users to create accounts in order to utilise services or store information. With password leaks appearing on an almost daily basis and being widely publicised, it is reasonable to assume that users should be adopting appropriate practices to secure their accounts and minimise their exposure to compromise. Despite the adoption of various password creation practices (e.g. password length and composition rules), appropriate guidance is often lacking. In order to bridge this gap, cybersecurity advice websites provide guidance to users to assist with the selection and use of appropriate passwords. This paper critically evaluates the advice provided by national-level guidance sites (often supported or implemented by government bodies). This guidance is likely to be a key source of reference for the populace of the respective countries and, as such, is worthy of examination to determine the effectiveness of the advice and the potential impact on individuals. As such, this paper presents a qualitative evaluation of the password guidance offered to end-users from a series of national cybersecurity advisory websites. The assessment is based upon a series of 11 criteria relating to password selection and management, with the guidance being rated as to whether it fully or partially addresses the related issues. This reveals that there is considerable variation in the scope and quality of the material, with some of the sources having areas of omission or even potential misdirection in the guidance being offered.

Introduction

Passwords are one of the most long-established cybersecurity technologies, in use across all manner of technology devices (from desktops and laptops to smartphones and tablets, plus extending into various IoT and smart devices), as well as providing the standard form of authentication for online sites and services.
At the same time, they are amongst the most widely criticised forms of security, repeatedly shown to be poorly selected and managed by many of their users, and technologically dismissed as a relic of the past (Jobusch and Oldehoeft, 1989; Ives et al., 2004; Weber et al., 2008; Alomari and Thorpe, 2019). However, despite all the criticism, passwords are very much still in use, and extensively so. In all the time that they have been with us, successive new generations of users have continued to make the same mistakes, and the fundamentals of good practice have failed to be learnt. As evidence of this, Table 1 summarises the top ten worst passwords from the most recent sets of results published by SplashData (TeamsID, 2016-2020). As can readily be seen, very little changes in the composition of the annual top ten, and there continues to be significant use of passwords that ought to be dismissed out of hand. It is perhaps surprising that systems do not block their use, or that users are still making such poor choices. And it raises the question of why the situation does not improve, despite such readily recognised problems and with a wealth of publicised evidence demonstrating the common failings.

Furnell; Haskell-Dowland 2 Editors: G. Dhillon; D. Demetis; S. Furnell
Table 1: Top ten worst passwords by year

| Rank | 2015      | 2016       | 2017      | 2018      | 2019      |
|------|-----------|------------|-----------|-----------|-----------|
| 1    | 123456    | 123456     | 123456    | 123456    | 123456    |
| 2    | password  | password   | password  | password  | 123456789 |
| 3    | 12345678  | 12345      | 12345678  | 123456789 | qwerty    |
| 4    | qwerty    | 12345678   | qwerty    | 12345678  | password  |
| 5    | 12345     | football   | 12345     | 12345     | 1234567   |
| 6    | 123456789 | qwerty     | 123456789 | 111111    | 12345678  |
| 7    | football  | 1234567890 | letmein   | 1234567   | 12345     |
| 8    | 1234      | 1234567    | 1234567   | sunshine  | iloveyou  |
| 9    | 1234567   | princess   | football  | qwerty    | 111111    |
| 10   | baseball  | 1234       | iloveyou  | iloveyou  | 123123    |

Source: TeamsID (2016 – 2020)

While a common reaction here is to blame the users for making poor choices and suggest that they ought to know better, it is relevant to pause for thought and consider why such choices might be made. Indeed, it is all very well to suggest that users should know better, but on what basis might they be expected to do so? Where exactly are they getting the support to guide them? Prior assessments of the guidance provided by popular websites certainly serve to suggest that there is frequently little upfront support, and often a lack of credible enforcement of password policies to weed out poor choices (Furnell, 2018). In the most recent assessment of ten leading sites (including Facebook, Google, Instagram, Twitter, and Yahoo!) only one provided upfront password guidance at the point of user sign-up. All sites offered some level of feedback in response to password selection attempts, but in several cases it was not particularly informative, indicating a problem but not usefully guiding the user to understand how to solve it (e.g. offering a message such as “Your password needs to be stronger”, which tells the user that their current choice is unsuitable, but without clearly defining what ‘stronger’ actually means). Even where it is provided, guidance can be significantly variable in terms of the focus and quality.
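The contrast between a bare “Your password needs to be stronger” and feedback that names the failing criterion can be made concrete in code. The checker below is an added example, not part of the paper or of any site it assesses: its denylist is built from the Table 1 entries, while the length thresholds, the substitution map and the message wording are assumptions made for illustration.

```python
"""Specific password feedback against the 'Selection' criteria in Table 2.
Added example, not from the paper: the denylist comes from Table 1; the length
thresholds and substitution map are assumptions made for illustration.
"""
import re

# Constructed from Table 1: every entry that appeared in any annual top ten.
WORST_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "1234567890", "princess",
    "letmein", "111111", "sunshine", "iloveyou", "123123",
}
MIN_LENGTH = 12          # assumed threshold for the "Length" criterion
PASSPHRASE_LENGTH = 16   # assumed: at this length mixed character types are not demanded
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "!": "i"})


def candidate_forms(password: str) -> set:
    """Lower-cased password plus a copy with common substitutions undone ('P@ssw0rd' -> 'password')."""
    lowered = password.lower()
    return {lowered, lowered.translate(LEET)}


def assess_password(password: str, personal_info=()) -> list:
    """Return concrete reasons a password is weak; an empty list means none were found.
    personal_info: strings the user gave at sign-up (name, birth year, ...), so the
    'Bad choices' criterion can flag personal information."""
    reasons = []
    forms = candidate_forms(password)
    # Bad choices: commonly used selections, whether used as-is or as a base.
    if forms & WORST_PASSWORDS:
        reasons.append("This is one of the most commonly used passwords; pick something nobody else would choose.")
    elif any(bad in form for form in forms for bad in WORST_PASSWORDS if len(bad) >= 6):
        reasons.append("Built on a commonly used password; adding a few characters does not fix that.")
    if re.fullmatch(r"(.)\1+", password):
        reasons.append("Repeats a single character.")
    # Bad choices: personal information that others can discover.
    for item in personal_info:
        if len(item) >= 3 and item.lower() in password.lower():
            reasons.append(f"Contains personal information ('{item}') that others could guess.")
    # Length: state the target instead of just "too short".
    if len(password) < MIN_LENGTH:
        reasons.append(f"Only {len(password)} characters; use at least {MIN_LENGTH}, "
                       "for example a passphrase of several unrelated words.")
    # Composition: name the missing character types (waived for long passphrases).
    kinds = {"lowercase": r"[a-z]", "uppercase": r"[A-Z]", "digits": r"\d", "symbols": r"[^A-Za-z0-9]"}
    missing = [k for k, pat in kinds.items() if not re.search(pat, password)]
    if len(missing) >= 2 and len(password) < PASSPHRASE_LENGTH:
        reasons.append("Uses few character types; missing " + ", ".join(missing) + ".")
    return reasons
```

Each returned string names one Table 2 criterion the choice fails, so the user learns what to change rather than only that a change is needed.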
Indeed, users can sometimes get advice that is outright dangerous, such as the Italian online banking site that was advising its users to put their passwords into Google in order to determine if it was a suitable choice (“Insert it on Google: if it returns less than 10 results it means it’s a good password.”) (Franceschi-Bicchierai, 2019). Luckily, most password guidance is not this cavalier, but users could nonetheless be forgiven for getting mixed and confused messages. Given the clear lack of guidance on many popular web sites, perhaps these providers assume that users can already get the advice elsewhere. While this is a poor excuse to avoid providing guidance (or linking to it), it does serve to raise the question of what users would find in such other sources. With this in mind, this paper seeks to examine the level and consistency of advice that users might receive if they were to go looking for password guidance from the recognised cybersecurity advice sites in their own country.

An assessment of password guidance

In order to perform a qualitative assessment, it is necessary to establish an idea of what we might be looking for users to be told in relation to their use of passwords. With this in mind, Table 2 suggests a series of issues that users can commonly receive guidance on, relating to both the selection/creation of passwords and the subsequent management of them. It should be noted that some of these are potentially undesirable criteria, depending on the advice being given (e.g. current advice around password change is not to do it unless compromise is suspected; advice on storing passwords is not helpful if it is saying not to do it at all – but it should guide people against putting them in discoverable locations).

Good guidance or mistaken misdirection: An assessment of password advice on cybersecurity sites Information Institute Conferences, Las Vegas, NV, March 30 – April 1, 2020 3
In all cases, there are different levels of depth and coverage that can be provided, ranging from merely flagging an issue, through to more fully explaining it.

Table 2: Assessment criteria for coverage of password guidance

| Group      | Issue       | Description |
|------------|-------------|-------------|
| Selection  | Bad choices | Advice on the password choices that should be avoided, such as dictionary words, commonly used selections, and personal information. |
| Selection  | Composition | Advice to use multiple character types, such as alphabetic, numeric and punctuation symbols. |
| Selection  | Length      | Guidance on the appropriate number of characters. |
| Selection  | Techniques  | Suggestion of techniques that may help to create good passwords, such as use of passphrases, memorable acronyms, etc. |
| Selection  | Two-Factor  | Guidance to supplement the password with two-factor authentication (2FA) where the option to do so is available. |
| Selection  | Uniqueness  | Highlighting the importance of using different passwords to protect different accounts/devices. |
| Management | Changing    | Advice on the frequency or regularity with which passwords should be changed (which may include guidance on not doing it, unless compromise is suspected). |
| Management | Reuse       | Highlighting that previous password choices should not be reused. |
| Management | Sharing     | Flagging the importance of not divulging passwords to colleagues, family or friends. |
| Management | Storage     | Guidance on avoiding a discoverable record of passwords, such as writing them down or saving on devices in a plaintext format. |
| Management | Tools       | Highlighting the potential to use tools such as password managers/vaults for support. |

While the earlier research had looked at the password guidance and feedback on leading websites, these specific service-focused sites are arguably not the best candidates to assess in the current context, as they would potentially provide guidance that suits the needs of their site rather than good practice in general. Additionally, they are likely to focus on the password selection aspect (i.e.
what the user needs to do in order to sign up to their site) rather than guiding on ongoing management or other aspects outside their own site. As such, the approach adopted for the current study was to examine national online security and safety websites that citizens in the countries concerned might naturally look toward as a primary source of official guidance. The selected sites are summarised in Table 3, noting also that (due to the authors’ own linguistic limitations) only sites presented in English were considered.

Table 3: National advisory sources included in the assessment

| Code | Country        | Advisory source     | Web address |
|------|----------------|---------------------|-------------|
| AU   | Australia      | eSafetyCommissioner | www.esafety.gov.au/key-issues/how-to/protectpersonal-information |
| CN   | Canada         | Get Cyber Safe      | www.getcybersafe.gc.ca/cnt/prtct-yrslf/prtctndntty/usng-psswrds-en.aspx |
| IE   | Ireland        | webwise.ie          | www.webwise.ie/uncategorized/creating-strongpasswords/ |
| NZ   | New Zealand    | netsafe             | www.netsafe.org.nz/passwords/ |
| SG   | Singapore      | Gosafeonline        | www.csa.gov.sg/gosafeonline/go-safe-forme/homeinternetusers/use-strong-passwords |
| UK   | United Kingdo  |                     | |